[Resolved] Spammer fakes header with our domain and IP which leads to blacklisting


We have problems with a spammer who fakes his header with one of our mail addresses and also, in some parts, our mail server IP, but the origin of the first spam wave a week ago is 185.118.164.141. Yesterday the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we were blacklisted by SpamCop. How can I prevent this from happening again? SPF is set for our domain and mail server IP.


This would sure be easier to read if we had the tracking URL. If I see this correctly, then it appears that the email was forwarded through 82.165.159.12. Since I am not familiar with this IP, I will take the route of it possibly being okay. Another SpamCop user can take that one on.

From what I see, the order of the headers is "Our-IP" and then 185.118.164.141. This would mean that 185.118.164.141 probably used your router to send the email.

If we assume that it did come from your IP, then I would guess you already checked the server logs. The next thing I would check is your NAT router, to make sure it did not get hacked. I have seen plenty of email come directly from routers, where it completely bypasses the email server.

Edited September 12, 2017 by gnarlymarley



This may or may not be a shared IP (speak to your provider).
That said, do a scan FOR MALWARE, THEN change the password on ALL computers and mobiles using that IP.
The malware infection/trojan is described here: https://www.abuseat.org/lookup.cgi?ip=23.100.9.31

23.100.9.31 is listed
This IP address was detected and listed 73 times in the past 28 days, and 3 times in the past 24 hours. The most recent detection was at Tue Sep 12 09:25:00 2017 UTC +/- 5 minutes
This IP is infected (or NATting for a computer that is infected) with a botnet that is emitting email spam. The infection is probably sendsafe.
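To make gnarlymarley's point about header order concrete, and to script the CBL lookup quoted in the last reply, here is an added Python example that is not part of the thread. It walks a constructed Received chain oldest hop first, reports whether the message merely spoofed the domain or was actually handed to the site's own server (assumed here to be 203.0.113.10) by an outside host, and builds the DNSBL query name for an IP. The hostnames, the "our" IP and the sample headers are constructed; the cbl.abuseat.org zone and the 127.0.0.x "listed" answer are the list's DNS interface as I know it, not something the thread states.

```python
"""Walk a spam message's Received chain to find where it really entered the
mail path, then build the DNSBL query name for the originating IP.

Added example, not from the forum thread. All hostnames, the "our" IP
203.0.113.10 and the sample headers below are constructed for illustration."""
import re
import socket
from email import message_from_string

# Constructed sample: the message originated at 185.118.164.141, was injected
# into "our" server (assumed 203.0.113.10), forwarded via 82.165.159.12 and
# finally delivered to the recipient's MX. Newest Received header is on top.
SAMPLE_HEADERS = """\
Received: from forwarder.example.org (forwarder.example.org [82.165.159.12])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2C1A
\tfor <user@recipient.example>; Tue, 12 Sep 2017 09:25:00 +0000
Received: from mail.example.net ([203.0.113.10])
\tby forwarder.example.org with ESMTP; Tue, 12 Sep 2017 09:24:55 +0000
Received: from [185.118.164.141] (helo=mail.example.net)
\tby mail.example.net with SMTP; Tue, 12 Sep 2017 09:24:50 +0000
From: sales@example.net
To: user@recipient.example
Subject: constructed sample
"""

OUR_IPS = {"203.0.113.10"}  # assumption: the site's own mail server address

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hops(raw_headers):
    """Return the sending IP of each Received hop, oldest hop first.

    Only the 'from' clause (text before ' by ') is inspected, so the IP is
    the one the receiving server recorded for its peer, not a HELO claim."""
    msg = message_from_string(raw_headers)
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())            # unfold continuation lines
        from_clause = flat.split(" by ", 1)[0]
        match = IPV4.search(from_clause)
        chain.append(match.group(1) if match else None)
    return chain


def analyse(chain, our_ips):
    """Decide whether the message merely spoofed our address or actually
    passed through our server. Caveat: only Received headers added by hosts
    you trust are reliable; anything below the first trusted hop can be
    forged by the sender, including a line naming our own IP."""
    result = {
        "origin": chain[0] if chain else None,  # earliest recorded sender
        "originated_at_us": False,              # first hop is our own IP
        "relayed_through_us": False,            # outside host -> us -> onward
        "injected_into_us_by": None,
        "downstream": [],                       # hops after we handed it off
    }
    for i, ip in enumerate(chain):
        if ip in our_ips:
            result["downstream"] = chain[i + 1:]
            if i == 0:
                result["originated_at_us"] = True
            elif chain[i - 1] not in our_ips:
                result["relayed_through_us"] = True
                result["injected_into_us_by"] = chain[i - 1]
            break
    return result


def dnsbl_name(ip, zone="cbl.abuseat.org"):
    """Reverse the octets and append the list zone,
    e.g. 23.100.9.31 -> 31.9.100.23.cbl.abuseat.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone="cbl.abuseat.org"):
    """Live DNSBL check (needs network; not exercised offline). A listed IP
    resolves to a 127.0.0.x answer; NXDOMAIN means not listed. A resolver
    outage also raises gaierror and is reported as False here, so confirm
    with the list's web lookup before acting on a negative."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False
    return answer.startswith("127.")


if __name__ == "__main__":
    chain = hops(SAMPLE_HEADERS)
    print("hops (oldest first):", chain)
    print(analyse(chain, OUR_IPS))
    print("CBL query name for 23.100.9.31:", dnsbl_name("23.100.9.31"))
```

For the constructed sample, analyse() reports origin 185.118.164.141, relayed_through_us True and downstream ["82.165.159.12"], which is exactly the "Our-IP, then 185.118.164.141" ordering described above: the outside host handed the message to the site's own server, which then sent it on. Two things to keep in mind when running this against real spam: a spammer who forges a Received line naming your IP will make the chain look as though you relayed it, so trust only the headers added by hops you control or by the recipient; and SPF only lets receivers reject mail from other IPs, so it gives no protection once a message is actually sent from your own server or router, because that connecting IP passes SPF on its own authority.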